In this two-article series, we review the Exchange Online PowerShell command Get-MessageTrace, which is used to view and export information about incoming and outgoing mail transactions saved in the Exchange Online log files.

In the first article, we give a basic introduction to the Get-MessageTrace PowerShell command and to its “sister” command, Get-HistoricalSearch. Another important concept we review is the “date range”, which is an essential component of any Get-MessageTrace query. In the next article, we provide various examples of using Get-MessageTrace with different parameters and filters, such as sender, recipient, subject, IP address and so on.

How do we get information stored in Exchange Online log files?

In an Exchange Online (Office 365) based environment, every incoming and outgoing mail transaction is “registered” in the Exchange Online log files.

The two ways available to us for looking at the content of the Exchange Online log files are the web-based interface of the Exchange Online admin center and PowerShell commands.

When using PowerShell in an Exchange Online (Office 365) based environment to query and export information stored in the Exchange Online log files, there are two major PowerShell commands we can use: Get-MessageTrace and Get-HistoricalSearch.

Get-MessageTrace Advantages and Disadvantages

Advantages

We can use the Get-MessageTrace PowerShell command to view information, and to export it to a file, “in real time” (in the next section, I explain what I mean by the term “real time”).

Disadvantages

The maximum time frame available to us when using the Get-MessageTrace PowerShell command is 30 days. In other words, we cannot use Get-MessageTrace to “fetch” log information that is older than 30 days, even though Exchange Online retains mail transaction log information for a period of 90 days.

The information we can display on the PowerShell console or export to a file is very basic and does not include detailed information about a specific mail transaction. Note – we can add the PowerShell command Get-MessageTraceDetail to get additional information, but what we get is still basic compared with the information returned by the PowerShell command Get-HistoricalSearch.

Get-HistoricalSearch Advantages and Disadvantages

Advantages

Using Get-HistoricalSearch, we can get very detailed information about each mail transaction registered in the Exchange Online log files.

When using the Get-HistoricalSearch PowerShell command, Exchange Online provides an extended time frame of 90 days. In other words, we can look for mail transaction information for a period of 90 days (versus the 30-day limitation of the PowerShell command Get-MessageTrace).

Disadvantages

When using the PowerShell command Get-HistoricalSearch, the “request for information” is registered as a “task” in Exchange Online and is executed only after several hours.

The information we get from the PowerShell command Get-HistoricalSearch can be overwhelming (TMI – too much information), and it is not easy to read and understand such a large chunk of data.

Recap

The main advantage of the PowerShell command Get-MessageTrace is its ability to quickly and effectively give us “high level” information about the mail transactions registered in the Exchange Online log files.

If we need to perform a deeper investigation of a specific mail transaction registered in the Exchange Online log files, or to get information about mail transactions older than 30 days, we need to use the PowerShell command Get-HistoricalSearch.

Note – at the current time, there is no way to get the detailed information that appears in the file exported by Get-HistoricalSearch through the Exchange Online web-based interface.

When using the Get-MessageTrace command, there are two major syntax methods we can use to define the time range.

Option 1 – by “manually writing” the specific dates (the start date and the end date) in the format month, day and year (written as <mm/dd/yyyy>).

Option 2 – by using the PowerShell Get-Date function

The other method, which I prefer to use, is the one in which we use the PowerShell function Get-Date.

As the name implies, the Get-Date PowerShell function “fetches” the current date and time. The information includes the current second, minute, hour, day, month and year.

When using the Get-MessageTrace command, the Get-Date PowerShell function is used to define the “end date”.

The “start date” is defined by using “time units” such as “AddHours” or “AddDays”, and subtracting that time unit from the current date.

In the following example, we define a time range of “30 days” by using the time unit “AddDays” with the value “-30”.

This syntax “tells” PowerShell that we want a date calculated by subtracting 30 days from the current time (the current time being the value returned by the Get-Date PowerShell function).

Get information about sent\received Emails in a specific time range | Specifying dates using “basic syntax”.

PowerShell command syntax

Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy>

PowerShell command example

Get-MessageTrace -StartDate 01/01/2017 -EndDate 01/30/2017

In the following section, I review a couple of examples of defining the time range using the “other method”, in which the Get-Date PowerShell function serves as a baseline and additional PowerShell time-unit methods such as AddHours, AddDays and so on are applied to it.

Get information about sent\received Emails in a specific time range | Last X minutes.

Display all Exchange e-mail messages that were sent and received in the last 30 minutes.

Get information about sent\received Emails in a specific time range | Last X Hours.

Display all Exchange e-mail messages that were sent and received in the last 30 hours.

PowerShell command example

Get-MessageTrace -StartDate (Get-Date).AddHours(-30) -EndDate (Get-Date)

Get information about sent\received Emails in a specific time range | Last X Days.

Display all Exchange e-mail messages that were sent and received in the last 30 days.

PowerShell command example

Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)

Get information about sent\received Emails in a specific time range | Last X Months.

Display all Exchange e-mail messages that were sent and received in the last month.

PowerShell command example

Get-MessageTrace -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)

Define a time range using variables

If you want to avoid typing long and complex date values, you can use the method in which the time range is defined using variables.

The variables we define “contain” the required date range.

The Get-MessageTrace command we then run defines the time range by referencing the variables defined in the “former step”.

PowerShell command example

$DateEnd = Get-Date

$DateStart = $DateEnd.AddHours(-30)

Get-MessageTrace -StartDate $DateStart -EndDate $DateEnd
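The variable-based approach above can be wrapped into a small reusable script. The following is an added example (not code from the original article): a function that builds the StartDate/EndDate pair from Get-Date for any of the time units shown earlier (minutes, hours, days, months), refuses ranges older than the 30-day limit the article describes, and a second function that pages through the results and exports them to CSV. The function names New-TraceDateRange and Export-TraceRange are my own; the -Page and -PageSize parameters are real Get-MessageTrace parameters, and the live query requires a connected Exchange Online session.

```powershell
# Added example, not from the original article.
# Builds a Get-MessageTrace date range from Get-Date, pages through the
# results and exports them. Requires Connect-ExchangeOnline for the real query.

function New-TraceDateRange {
    # Returns a hashtable suitable for splatting into Get-MessageTrace.
    # $Unit is one of Minutes, Hours, Days, Months; $Amount is how many.
    param(
        [ValidateSet('Minutes', 'Hours', 'Days', 'Months')]
        [string]$Unit = 'Days',
        [ValidateRange(1, [int]::MaxValue)]
        [int]$Amount = 30
    )
    $end   = Get-Date
    $start = switch ($Unit) {
        'Minutes' { $end.AddMinutes(-$Amount) }
        'Hours'   { $end.AddHours(-$Amount) }
        'Days'    { $end.AddDays(-$Amount) }
        'Months'  { $end.AddMonths(-$Amount) }
    }
    # Get-MessageTrace only reaches back 30 days; fail early instead of
    # silently getting an empty or truncated result.
    if ($start -lt $end.AddDays(-30)) {
        throw "Start date $start is older than 30 days; use a historical search instead."
    }
    return @{ StartDate = $start; EndDate = $end }
}

function Export-TraceRange {
    # Pages through Get-MessageTrace for the given range and writes a CSV.
    # Get-MessageTrace returns one page per call, so we loop until a page
    # comes back short of the requested size.
    param(
        [hashtable]$Range,
        [string]$Path = '.\MessageTrace.csv',
        [int]$PageSize = 5000   # the largest page size Get-MessageTrace accepts
    )
    $page = 1
    $all  = @()
    do {
        $batch = Get-MessageTrace @Range -PageSize $PageSize -Page $page
        $all  += $batch
        $page++
    } while ($batch.Count -eq $PageSize)
    $all | Export-Csv -Path $Path -NoTypeInformation
    return $all.Count   # number of rows written
}

# Usage: everything sent or received in the last 30 hours, exported to CSV.
$range = New-TraceDateRange -Unit Hours -Amount 30
Export-TraceRange -Range $range -Path '.\MessageTrace.csv'
```

Splatting the hashtable (`Get-MessageTrace @Range`) is what lets one function produce the date pair for every unit the article lists; requesting a range of, say, `-Unit Days -Amount 45` throws before any query is sent, which is the check you want in a script that runs unattended.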

“Clean” the displayed results of unnecessary information

When we use the Get-MessageTrace PowerShell command in an Exchange Online environment without a very specific filter, the “output” includes unnecessary information (white noise) about “system” and internal Exchange Online mail messages.

In the following example, we can see information about “system emails” that is not relevant to our search.

If we want to “clean” the search result by removing the information about the “system emails”, we add filters that instruct PowerShell to “ignore” specific emails, such as the system emails.
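One way to apply such a filter, as an added example that is not part of the original article: a pipeline function that drops rows whose SenderAddress matches a list of “system” sender patterns, run here over a few constructed rows that use the same property names Get-MessageTrace returns (Received, SenderAddress, RecipientAddress, Subject, Status). The patterns themselves are an assumption about what the noise looks like in a typical tenant (postmaster and no-reply senders, plus the Exchange system mailbox address); adjust them to what your own trace output shows. The function name Remove-SystemMessages is my own.

```powershell
# Added example, not from the original article.
# Sender patterns are an assumption; tune them to your own trace output.
$SystemSenderPatterns = @(
    '^postmaster@',                     # NDRs and delivery reports
    '^(no-?reply)@',                    # service notifications
    '^microsoftexchange[0-9a-f]{32}@'   # Exchange system mailbox (assumed pattern)
)

function Remove-SystemMessages {
    # Passes through every message-trace row whose SenderAddress does not
    # match any of the system patterns. -match is case-insensitive by default.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [psobject]$Message,
        [string[]]$Patterns = $SystemSenderPatterns
    )
    process {
        $sender   = [string]$Message.SenderAddress
        $isSystem = $false
        foreach ($p in $Patterns) {
            if ($sender -match $p) { $isSystem = $true; break }
        }
        if (-not $isSystem) { $Message }
    }
}

# Constructed sample rows standing in for Get-MessageTrace output.
$sample = @(
    [pscustomobject]@{ Received = '01/10/2017 09:12'; SenderAddress = 'alice@contoso.example';
                       RecipientAddress = 'bob@fabrikam.example'; Subject = 'Invoice Q1'; Status = 'Delivered' }
    [pscustomobject]@{ Received = '01/10/2017 09:13'; SenderAddress = 'postmaster@contoso.example';
                       RecipientAddress = 'alice@contoso.example'; Subject = 'Undeliverable: Invoice Q1'; Status = 'Delivered' }
    [pscustomobject]@{ Received = '01/10/2017 09:20'; SenderAddress = 'MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@contoso.example';
                       RecipientAddress = 'alice@contoso.example'; Subject = 'Read: Invoice Q1'; Status = 'Delivered' }
    [pscustomobject]@{ Received = '01/10/2017 09:45'; SenderAddress = 'carol@fabrikam.example';
                       RecipientAddress = 'alice@contoso.example'; Subject = 'Re: Invoice Q1'; Status = 'Delivered' }
)

# Only the two person-to-person rows survive the filter.
$sample | Remove-SystemMessages |
    Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize

# Against a live session the same function sits at the end of the pipeline:
# Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Remove-SystemMessages
```

Keeping the exclusion list in a variable rather than inline in a Where-Object block means the same filter can be reused across the sender, recipient and subject queries covered in the next article, and reviewed on its own when someone asks why a message did not show up in the trace.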

Article Name

Using Get-MessageTrace PowerShell command for viewing and exporting information on mail sent and received | Exchange Online | Part 1#2